
Access Control and LDAP schema



	Dear All - one aspect of access control is the ability to define
permissions and denials at the attribute type and value level.

	One area that could get messy, I perceive, is the way in which
the labels are applied in LDAP schema. Obviously the issue is one of
storage methodology, i.e. is telephonenumber: 1234($home) just stored as a
complete string, or are the parts (within the LDAP server) separated?

	Naturally, if they are all stored as a string together and access
controls are applied on $xxxx, $yyyyy, then substring searches will
have to be applied. This may work for sub-10,000-entry DSAs, but when
one hits millions or tens of millions of entries, string-based labels
embedded in string-based attribute values will hit hard.

	With defined types (X.500 style) for phone numbers, etc. and
defined contexts, things seem to scale.


	Has anyone done any modelling with LDAP servers re e.g. 100,000
entries with five types of phone numbers in each entry, using the
$label mechanism, applying access control regimes with $label parameters
and seeing what happens on "get me all the Home phone numbers from
entries below xyz..."?

	It would be a serious issue if the schema and access control
design of LDAP did not scale.

	Thoughts are welcome.

	regards alan
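The scaling concern raised in the post, as an added illustration that is not part of the original message: a toy directory of entries with five phone numbers each, stored once with the label embedded in the value string (telephonenumber: 1234($home)) and once as separate typed attributes. The query "all home phone numbers below a base" is run against both models under an attribute-value access-control rule, and the number of value inspections is counted. The entry layout, the $label grammar, the attribute names (homePhone, workPhone, ...) and the requester rules are all constructed assumptions for this example, not the behaviour of any particular LDAP server.

```python
import re

# Constructed "$label" grammar: "<number>(<$label>)", e.g. "1234($home)".
LABEL_RE = re.compile(r'^(?P<number>[^(]+)\((?P<label>\$\w+)\)$')

# Five phone kinds per entry, as in the post's hypothetical.
LABELS = ['$home', '$work', '$mobile', '$fax', '$pager']


def parse_labelled(value):
    """Split a labelled value into (number, label); label is None if absent."""
    m = LABEL_RE.match(value)
    if not m:
        return value.strip(), None
    return m.group('number').strip(), m.group('label')


def make_entries(n, base='ou=people,o=xyz'):
    """Build n constructed entries in both storage models at once."""
    entries = []
    for i in range(n):
        dn = 'cn=user%d,%s' % (i, base)
        # Model A: one attribute, labels embedded in each value string.
        labelled = ['%d(%s)' % (1000 + i * 10 + k, lab)
                    for k, lab in enumerate(LABELS)]
        # Model B: one attribute type per phone kind (hypothetical names).
        typed = {'%sPhone' % lab[1:]: [str(1000 + i * 10 + k)]
                 for k, lab in enumerate(LABELS)}
        entry = {'dn': dn, 'telephoneNumber': labelled}
        entry.update(typed)
        entries.append(entry)
    return entries


def in_subtree(dn, base):
    return dn == base or dn.endswith(',' + base)


def home_phones_labelled(entries, base, allowed_labels):
    """Model A: every value must be parsed to find its label, then the
    access-control rule (allowed_labels) is applied per value."""
    inspections = 0
    results = []
    for e in entries:
        if not in_subtree(e['dn'], base):
            continue
        for v in e['telephoneNumber']:
            inspections += 1              # substring/parse work per value
            number, label = parse_labelled(v)
            if label == '$home' and label in allowed_labels:
                results.append((e['dn'], number))
    return results, inspections


def home_phones_typed(entries, base, allowed_attrs):
    """Model B: the access rule is decided once on the attribute type and
    the value is fetched by type, so no value string is parsed."""
    if 'homePhone' not in allowed_attrs:
        return [], 0                      # denied before touching any entry
    inspections = 0
    results = []
    for e in entries:
        if not in_subtree(e['dn'], base):
            continue
        inspections += 1                  # one attribute lookup per entry
        for number in e.get('homePhone', []):
            results.append((e['dn'], number))
    return results, inspections


if __name__ == '__main__':
    entries = make_entries(100)
    r_a, n_a = home_phones_labelled(entries, 'o=xyz', {'$home'})
    r_b, n_b = home_phones_typed(entries, 'o=xyz', {'homePhone'})
    print('labelled strings: %d results, %d value inspections' % (len(r_a), n_a))
    print('typed attributes: %d results, %d lookups' % (len(r_b), n_b))
```

With five labelled values per entry the string model inspects five times as many values as the typed model, and a denial on $home still costs the full scan because the label is only known after parsing; with typed attributes the denial is decided before any entry is read.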